Nearly a billion people worldwide travel every year and in doing so entrust to airlines, cruise lines, hotels, rental car companies, tour operators and travel agents personal information regarding their identities including social security numbers, credit card numbers and so forth, all of which is of value to governments, hackers, marketers and competitors. How safe is your personal information from being taken without your knowledge or consent?
Airlines & The Government
In 2005 there were several class actions brought by passengers claiming that some airlines invaded their privacy and made available to the U.S. government their personal information [see In re JetBlue Airways Corp. Privacy Litigation ("Plaintiffs claim that defendant [violated their] privacy rights by unlawfully transferring their personal information to [Torch Concepts, Inc.] for use in a federally-financed study on military base security. Plaintiffs seek a minimum of $1,000 in damages per class member"; complaint dismissed); In re American Airlines, Inc. Privacy Litigation (class action by passengers "allegedly injured when defendants…authorized Airline Automations, Inc. to disclose highly confidential passenger information-passenger name records…to (TSA) without the passenger's consent"); In re Northwest Airlines Privacy Litigation (class of passengers alleged "invasion of privacy, trespass to property, negligent misrepresentation, breach of contract and breach of express warranties [because] Northwest's website contained a privacy policy that stated that Northwest would not share customers' information except as necessary to make customer's travel arrangements" and violated policy by making information available to NASA which was studying ways to increase airline security; complaint dismissed); Dyer v. Northwest Airlines Corp. (class of passengers allege violation of Electronic Communications Privacy Act for disclosing private information without consent; complaint dismissed)].
Rental Car Companies
In Najarian v. Avis Rent A Car System ("defendants printed the expiration date of Plaintiff's VISA card on a Check Out Rental Agreement provided to Plaintiffs…(who) allege that defendants knew or recklessly disregarded that its use of cash registers that did not comply with the law and that [by] printing of Prohibited Information on customer receipts and thus defendant's (alleged) violations of the Fair Credit Reporting Act (FCRA) were 'willful' for the purposes of the FCRA"; class certification denied).
Hotels: Hackers Are Welcome
Recently some hotels have been the subject of "data breaches" by hungry hackers. In Federal Trade Commission v. Wyndham Worldwide Corporation, the FTC charged that a hospitality company and its subsidiaries engaged in unfair and deceptive trade practices in violation of the Federal Trade Commission Act by failing to maintain reasonable data security to protect guests from theft of their personal information.
Wyndham's Computer System & Websites
"Wyndham Worldwide is in the hospitality business…Under these agreements (defendants) require each Wyndham-branded hotel to purchase-and 'configure to their specifications'-a designated computer system that…handles reservations and payment card transactions. This system ('property management system') stores consumers' personal information, 'including names, addresses, email addresses, telephone numbers, payment card account numbers, expiration dates and security codes'…computer network 'includes its central reservation system' that 'coordinates reservations across the Wyndham brand' and, using (defendants') website, consumers can make reservations at any Wyndham-branded hotel'"
Failure To Provide Reasonable Security
"The FTC alleges that, since at least April 2008, Wyndham 'failed to provide reasonable and appropriate security for the personal information collected and maintained by (defendants)…' by engaging in a number of practices that, taken together, unreasonably and unnecessarily exposed consumer personal data to unauthorized access and theft'. As a result…Between April 2008 and January 2010 intruders gained unauthorized access-on three separate occasions to (defendants') computer network".
Data Breaches & Damages
"The three data breaches (caused) the compromise of more than 619,000 consumer payment card account numbers, the exportation of many of those account numbers to a domain registered in Russia, fraudulent charges on many consumers' accounts and more than $10.6 million in fraud loss. Consumers and businesses suffered financial injury, including, but not limited to, unreimbursed fraudulent charges, increased costs and lost access to funds or credit".
Unfairness: Data Insufficiencies
The Court found that the FTC sufficiently pled claims under the FTC Act for unfairness by specifically setting forth data security insufficiencies which included (1) "failing to employ firewalls; (2) permitting 'storage of payment card information in clear readable text'; (3) failing to make sure Wyndham-branded hotels 'implemented adequate information security policies and procedures prior to connecting their local computer networks to (defendants') computer network'; (4) permitting Wyndham-branded hotels 'to connect insecure servers to (defendants') networks, including servers using outdated operating systems that could not receive security updates or patches to address known security vulnerabilities'; (5) permitting 'servers on (defendants') networks with commonly-known default user Ids and passwords'; (6) failing to 'employ commonly-used methods to require user Ids and passwords that are difficult for hackers to guess'; (7) failing to 'adequately inventory computers connected to (defendants') network' to manage devices on its network; (8) failing to 'monitor (defendants') computer network for malware used in a previous intrusion and (9) failing to restrict third-party access 'such as by restricting connections to specified IP addresses or granting temporary, limited access, as necessary'.
Deception: Misrepresentations
The Court also found that the FTC sufficiently pled deception. "In this claim, the FTC cites the Defendant's privacy policy disseminated on (defendants') website and alleges that 'in conjunction with the advertising, marketing, promotion, offering for sale, or sale of hotel services. Defendants have represented, directly or indirectly, expressly or by implication, that they had implemented reasonable and appropriate measures to protect personal property against unauthorized access'-but that 'Defendants did not implement reasonable and appropriate measures to protect personal information against unauthorized access'.
Accordingly, the FTC alleges that Defendants' representations 'are false or misleading and constitute deceptive acts or practices'". See also: Soloway & Bernstein, Protection of Hotel Guest Data and Personal Information, New York Law Journal (8/20/2014).
Other Privacy Cases
There have been other privacy cases involving unauthorized recordings by hotels [see e.g., Simpson v. Vantage Hospitality Group, Inc. ("This class action arises out of Defendant's alleged policy and practice of recording and/or intercepting calls made to a hotel reservation hotline without the consent of all parties…Plaintiff alleges one claim for unlawful recording and intercepting of communications pursuant to Cal. Pen. Code…and seek an award of statutory damages ($5,000 per violation)"; motion to dismiss denied); see similar cases: McCabe v. Six Continents Hotels, Inc. and Roberts v. Wyndham International, Inc.], sale of confidential medical information by pharmacies [see e.g., Anonymous v. CVS Corporation (sale of confidential information by pharmacy going out of business to pharmacy chain without consent of customers; causes of action for breach of fiduciary duty, breach of implied contract and violation of New York consumer protection statute stated; class certification granted)] and more hacking [see e.g., In re Sony Gaming Networks and Customer Data Security Breach Litigation ("This action arises out of a criminal intrusion into a computer network system used to provide online gaming and Internet connectivity via an individual's gaming console or personal computer")] and a more traditional and non-Internet invasion of privacy in a hotel [see e.g., Carter v. Innisfree Hotel, Inc. ("Guest sued hotel for invasion of privacy, breach of contract, negligence, fraud and outrage in connection with alleged 'peeping Tom' incident in hotel")].
Conclusion
Given the aggressive and seemingly unstoppable efforts of hackers to access personal information, tourists are well advised to be very careful, indeed, in making such information readily available.
The author, Justice Dickerson, has been writing about Travel Law for 38 years including his annually-updated law books, Travel Law, Law Journal Press (2014), and Litigating International Torts in U.S. Courts, Thomson Reuters WestLaw (2014), and over 300 legal articles many of which are available at www.nycourts.gov/courts/9jd/taxcertatd.shtml.
This article may not be reproduced without the permission of Thomas A. Dickerson.